ENT970827-1 PATENT APPLICATION

A METHOD AND SYSTEM FOR PROVIDING UPDATED ENCRYPTION KEY
PAIRS AND DIGITAL SIGNATURE KEY PAIRS IN A PUBLIC KEY SYSTEM

BACKGROUND OF THE INVENTION 
The invention relates generally to methods and systems for providing updated public key pairs in a cryptographic system and more specifically to methods and systems for providing updated digital signature key pairs and updated encryption key pairs in public key systems.

In typical public key cryptographic systems, digital signature key pairs (a private key and a public key) are used to authenticate a digital signature of a client to ensure that a message sent by a client actually came from the client sending the message. In addition to digital signature key pairs, encryption key pairs are also generally used to encrypt the data being sent from one client to another client. Certificates are generated by a manager or trusted certification authority for the public keys of the private/public key pair to certify that the keys are authentic and valid. The public keys and certificates are used for two main purposes: verifying digital signatures and encrypting information. The receiver of a digitally signed e-mail or documents, for example, uses the public key in the sender's certificate to verify the digital signature of the sender. A user wishing to send encrypted e-mail first encrypts the e-mail with a random symmetric key, then uses the intended receiver's public key to encrypt the symmetric key and then attaches the encrypted symmetric key to the encrypted e-mail so that the receiver can decrypt the e-mail.

Hence, a client unit sending a message sends the data with its digital signature along with a certificate. The certificate has the certification authority signature. A receiver validates the digital signature by looking at the received certificate. Each client stores a certification authority public key to verify that the certificate was made by the manager. A digital signature certificate typically includes a user public key, a user name and a signature of the certification authority. Each sender has a copy of its own certificate. To send an encrypted message, a sender accesses a directory, such as an onboard client cache memory or other certificate storage medium, to get a copy of the encryption certificate for a specified receiver (other client). For an encrypted message to be considered valid, the digital signature must be valid and there can be no certificate replication by the certification authority. The use of hybrid encryption formats can be used to encrypt a digital signature key for encrypted message transmission. Typically, secure key pair update analysis and requests only occur when a user is logged onto the system, so if a user does not log on for some period of time, an update may not timely occur. For tracking private key expiration, a manager typically sends a validity period of a private key on initialization and the client terminal keeps track of the elapsed period. Or alternatively, the private key expiration date is embedded in the public key certificate.

However, a problem arises because the encryption certificate and digital signature certificates have limited validity periods. If the key pair expires prior to being updated, information can be lost or no longer accessible. Also, it is desirable to have a smooth transition from old to new encryption key pairs during the updating process so changes do not cause unnecessary loss of access to information. Although in conventional public key systems a client is supposed to request an encryption key pair update from a manager in advance of the key expiry period, conventional public key cryptographic systems typically have a fixed default period that is the same for all clients on the system. The fixed default period is generally a fixed percentage of a total key lifetime that is not adjustable by a manager or certification authority. Key lifetime refers to how long a key is valid. If certain clients in the system are required to have only short key lifetime periods, such as temporary contract employees that are required to use the system for only a few days or a few months, the fixed default key expiry period does not typically allow enough time for the system to update key pairs.

It is also important that the system allow certificate validation after a certificate expires, particularly if e-mails are stored or other messages are stored that need to be retrieved after an expiry date has occurred. Typically old messages stay encrypted and signed using the original encryption key and signature keys. The system revalidates the messages each time the data is looked at. Therefore, it is desirable to allow the public key to last longer than the private key expiration to be able to retrieve old messages sent with the old private key. However, with variable term contract employees or other users that only require variable term access clients in the system, it is desirable to stop public key and private key expirations on the same date. With conventional systems that have pre-fixed default settings for all clients, such situations are not adequately accommodated. Traditional systems do not generally allow the flexibility to vary expiration periods on a per user basis.
Consequently there exists a need for a method and system for providing updated digital signature key pairs and encryption key pairs in a public key system that is effectively transparent to a user and that allows for selectable variation of expiry periods on a per user basis.

BRIEF DESCRIPTION OF THE DRAWINGS

The features of the present invention together with the advantages thereof, may be understood by reference to the following description taken in conjunction with the accompanying drawings wherein:

FIGURE 1 is a block diagram generally depicting a public key cryptographic system incorporating a method for providing updated digital signature key pairs and encryption key pairs in accordance with one embodiment of the invention;

FIG. 2 is a flowchart generally depicting the operation of the system of FIG. 1 for updating digital signature key pairs;

FIG. 3 is a flow diagram generally depicting the operation of the system of FIG. 1 updating an encryption key pair in accordance with one embodiment of the invention; and

FIG. 4 is a flow diagram generally showing an alternative embodiment where a multi-client manager unit generates new digital signature key pair data for each client.

DETAILED DESCRIPTION OF THE INVENTION

A method and system is disclosed that provides updated digital signature key pairs in a public key system by providing, through a multi-client manager unit, selectable expiry data such as digital signature certificate lifetime data, public key expiry data and private key expiry data as selectable on a per client basis. The multi-client manager unit stores selected public key expiry data and private key expiry data for association with a new digital signature key pair and associates the stored selected expiry data with the new digital signature key pair to facilitate a transition from an old digital signature key pair to a new digital signature key pair.

In one embodiment, the system determines a digital signature private key lifetime end date and a digital signature certificate creation date upon a user login to the public key system. The client initiates a digital signature key pair update request or encryption key pair update request based on at least two criteria both of which must be met. The requests are based on whether a difference between a current date and the digital signature private key lifetime end date (t1) or encryption private key lifetime date is less than an absolute predetermined period of time (days) and whether the difference between the current date and the digital signature private key lifetime end date (t1) or encryption private key lifetime end date is less than a predetermined percentage, such as 50%, of a total duration of a digital signature private key lifetime or encryption private key lifetime. Among other things, this allows time to effect a key pair update even when key lifetimes are only days or weeks long.
FIG. 1 shows a public key system 10 having a multi-client manager 12, otherwise known as certification authority, that manages a number of clients 14, 16 and 18 in a cryptographic computer network. The multi-client manager 12 accesses a storage medium 20 such as storage disc, ROM or RAM or other suitable storage medium. Each client accesses a directory 22 which may be in a network database or in a local cache memory on each client. The directory 22 contains the certificate with a public key for encryption, otherwise known as an encryption public key certificate.

In operation, the digital signature key pair or signing key pair, is created by the client 14, 16, or 18, when a user first creates a profile. The client securely stores the digital signature private key in a user profile and sends only a verification public key to the multi-client manager 12 in a secure manner, such as over secure online path 24. A digital signature private key is not sent to the multi-client manager and therefore is not backed-up in the certification authority database. When the multi-client manager receives the digital signature public key from a client 14, 16 or 18, the multi-manager 12 creates a digital signature certificate for the digital signature public key. The digital signature certificate contains a verification public key. A copy of the digital signature






certificate is stored in the multi-manager storage medium 20 and a copy of the certificate is returned to the client over secure online path 24.

Unlike the encryption certificate, a copy of the digital signature certificate is not stored in the directory 22. When a user signs a file using the client 14, 16 or 18, the client includes the digital signature certificate with the signed file. Therefore retrieval of the digital signature certificate from the directory is never required.

FIG. 2 illustrates a method for providing updated digital signature key pairs in a public key system using the system of FIG. 1. In operation, a user logs into a client as indicated in block (number illegible). The client determines a digital signature private key lifetime end date and a digital signature certificate creation date upon the user login by analyzing expiry data in its own digital signature certificate. The digital signature certificate includes data representing the creation date of the certificate, the expiration of the digital signature private key and the expiration of the certificate (which is the expiration of the public key), as indicated in block 26. Generally, all keys have a specific lifetime except a decryption private key that never expires.

By comparing the date information in the certificate, the client determines whether a difference between a current date and the digital signature private key lifetime end date is less than an absolute predetermined period of time, such as whether the remaining lifetime is one hundred days. If this condition is true, the client next determines whether the difference between the current date and the digital signature private key lifetime end date is less than a manager selectable predetermined percentage of total duration of a digital signature private key lifetime. This is shown in block 28. The client generates a digital signature key pair, initiates the digital signature key update request and sends the digital signature public key to the manager on the secure online path 24. The request and public key pair is encrypted using the old digital signature private key so the manager can verify the digital signature.

The multi-client manager 12 provides selectable expiry data such as public key expiry data and selectable private key expiry data that is selectable on a per client basis. A graphic user interface on the multi-client manager unit is used to facilitate setting of the selectable expiry data to a desired state on a per client basis. The selectable expiry data may be digital signature certificate lifetime data for variably setting a lifetime end date for a digital signature certificate associated with a given client. The selectable expiry data may also include public encryption key expiry data or other suitable expiry data.

Using the user interface, a security officer or other authorized user of the multi-client manager unit 12 selects a certificate lifetime and private key lifetime for each selected client on a per client basis so that the cryptographic system 10 can adapt to changes to any client in the system. For example, in the case of a contractor or temporary employee, the manager unit 12 provides a security officer with the ability to select a certificate lifetime and private key lifetime as desired. Once selected, the manager unit 12 stores the selected data values for each client in the client manager storage medium 20 in a database, as indicated in block 36. The selected data values should preferably facilitate the initiation of an update if the duration between a current date and an expiry date is less than one hundred days or if the duration of the current date to the expiry date is less than one-half of the total key lifetime.

As shown in block 38, the multi-client manager unit 12 determines whether a digital signature key pair update request has been received from a client unit 14, 16 or 18. If no digital signature key pair update request has been received from the client unit, the multi-client manager unit continues its normal operation and waits to receive such a request. If a client has sent a digital signature key pair update request, the multi-client manager unit 12 verifies the authenticity of the client based on the digital signature certificate and data from the client, as shown in block 40. The protocol for this communication may be any suitable protocol, but is preferably a PKIX part 3 type protocol standard produced by the Internet Engineering Task Force (IETF). The client sending the digital signature key pair update request also generates the new digital signature key pair as shown in block 42. The client sends the new digital signature key pair to the manager unit 12 as indicated in block 44. The manager unit 12 receives the new digital signature key pair from the client in response to the digital signature key pair update request.

After the manager 12 has received the new digital signature key pair from the client unit, the manager 12 creates a new digital signature certificate containing the selected public key expiry data as entered by the security officer, for the client generating the digital signature key pair update request. The manager 12 associates the selected expiry data with the new key pairs as indicated by linking the selected expiry data with the public digital signature key as shown in block 46. The manager sends the new digital signature certificate to the requesting client on the secure online path 24 as indicated in block 48. The manager then waits for another client request or new selection of expiry data for another client as indicated in block 50. By associating the stored selected expiry data with the new digital signature key pair, the manager unit controls the transition for updating an old signature key pair to a new digital signature key pair. Also, by providing variable expiry periods on a per client basis, the manager maintains oversight of the key pair updating and allows adaptive usage of clients by many users so that short expiry periods are readily accommodated.
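As an added illustration (not code from the patent), the following Python models the two-criterion client-side test of FIG. 2 together with the manager's per-client selectable expiry data and update privilege control; the class and function names, the use of 100 days and 50% as defaults, and the sample dates are assumptions. Authentication of the request against the client's old certificate is represented only by an `authenticated` flag supplied by the caller.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Optional

# Added illustration of the FIG. 2 update logic; names, defaults and dates are assumptions.


@dataclass(frozen=True)
class SignatureCertificate:
    """Expiry data a client reads from its own digital signature certificate."""
    client_id: str
    created: date           # certificate creation date
    private_key_end: date   # digital signature private key lifetime end date (t1)
    certificate_end: date   # certificate / public key expiry; may outlive the private key


def should_request_update(cert: SignatureCertificate, today: date,
                          absolute_days: int = 100, percentage: int = 50) -> bool:
    """Client-side check at login; both criteria must hold before a request is sent.

    remaining = t1 - today must be (1) under an absolute number of days AND (2) under
    a manager-selected percentage of the total private key lifetime (t1 - creation).
    (2) stops a freshly issued 30-day key from re-requesting at once; (1) stops a
    three-year key from being refreshed with over a year still left.
    """
    remaining = (cert.private_key_end - today).days
    total = (cert.private_key_end - cert.created).days
    if total <= 0:
        return True  # degenerate certificate: treat as already expired
    within_absolute = remaining < absolute_days
    within_fraction = remaining * 100 < total * percentage  # integer math, no rounding
    return within_absolute and within_fraction


@dataclass
class ClientExpiryPolicy:
    """Expiry data a security officer selects for one client on the manager."""
    certificate_lifetime_days: int   # public key expiry data
    private_key_lifetime_days: int   # private key expiry data
    update_allowed: bool = True      # variable update privilege control


class MultiClientManager:
    """Holds per-client selectable expiry data and issues certificates carrying it."""

    def __init__(self) -> None:
        self._policies: Dict[str, ClientExpiryPolicy] = {}  # stands in for storage medium 20

    def select_expiry(self, client_id: str, certificate_days: int,
                      private_key_days: int, update_allowed: bool = True) -> None:
        """Security officer entry point: set or overwrite one client's expiry data."""
        if private_key_days <= 0 or certificate_days < private_key_days:
            raise ValueError("certificate may not expire before its private key")
        self._policies[client_id] = ClientExpiryPolicy(
            certificate_days, private_key_days, update_allowed)

    def handle_update_request(self, client_id: str, today: date,
                              authenticated: bool) -> Optional[SignatureCertificate]:
        """Issue a certificate carrying the stored expiry data, or None if refused.
        `authenticated` is the caller's result of verifying the request against the
        client's old signing certificate (the PKIX exchange itself is out of scope)."""
        policy = self._policies.get(client_id)
        if not authenticated or policy is None or not policy.update_allowed:
            return None
        return SignatureCertificate(
            client_id=client_id,
            created=today,
            private_key_end=today + timedelta(days=policy.private_key_lifetime_days),
            certificate_end=today + timedelta(days=policy.certificate_lifetime_days),
        )


def run_demo() -> dict:
    """Constructed scenario: a contractor with a 30-day signing key and 40-day certificate."""
    manager = MultiClientManager()
    manager.select_expiry("contractor-7", certificate_days=40, private_key_days=30)
    cert = manager.handle_update_request("contractor-7", date(2024, 1, 1), authenticated=True)
    long_lived = SignatureCertificate("staff-1", date(2024, 1, 1),
                                      date(2026, 12, 31), date(2027, 12, 31))
    results = {
        "issued_private_key_end": cert.private_key_end.isoformat(),
        "issued_certificate_end": cert.certificate_end.isoformat(),
        # 21 days left: under 100 days, but not under 50% of the 30-day lifetime
        "request_on_day_10": should_request_update(cert, date(2024, 1, 10)),
        # 11 days left: both criteria hold, so the client requests an update
        "request_on_day_20": should_request_update(cert, date(2024, 1, 20)),
        # 546 of 1095 days left: just under 50%, but far over the 100-day limit
        "long_key_at_half_life": should_request_update(long_lived, date(2025, 7, 3)),
    }
    # The security officer withdraws the update privilege once the contract ends.
    manager.select_expiry("contractor-7", 40, 30, update_allowed=False)
    results["refused_after_termination"] = manager.handle_update_request(
        "contractor-7", date(2024, 1, 20), authenticated=True) is None
    return results
```

Calling `run_demo()` returns the decisions for each constructed case as a dict.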

The multi-client manager 12 is preferably a UNIX based workstation computer or server or any other suitable computer. The manager unit preferably performs the above identified steps under software control so that the programmed manager computing unit serves as the device for providing the selectable expiry data and associating the selected expiry data with the new respective key pairs. The storage medium 20 may contain the software program for instructing the manager to carry out the above identified steps.

The manager 12 also provides variable update privilege control on a per client basis to facilitate denial of updating the digital signature key pair on a per client basis. This may be useful in a situation where a temporary employee attempts to use the system after termination or after the expiry period. It will be recognized that the user interface may be any suitable user interface such as a Windows based interface which presents a security officer with the option of setting expiry dates on a per client basis.

FIG. 3 shows the operation of the system 10 providing updated encryption key pairs in a public key system. The method is substantially similar to that of FIG. 2 except instead of digital signature key pairs, encryption key pairs are updated. Upon user login, the client determines the encryption key lifetime and creation time from the encryption certificate data in the directory as indicated in blocks 60 and 62. The client determines if the remaining key lifetime duration of the public encryption key is less than one hundred days and, if so, the client next determines whether the difference between the current date and the encryption private key lifetime end date is less than a manager selectable predetermined percentage, such as 50%, of total duration of an encryption private key lifetime. If these two conditions are met, the client initiates the encryption key pair update request to contact the manager to establish a new key pair and generates an encryption key pair and sends the public encryption key to the manager by the protected digital signature and encrypted message on secure path 24 as shown in block 66.
As described with respect to FIG. 2, the program stored on storage medium 20 for the multi-client manager 12 also provides selectable encryption certificate lifetime data for each client on a per client basis as indicated in block 68. The selectable encryption certificate lifetime data is selectable expiry data which includes public key expiry data and selectable private key expiry data. As shown in block 70, the multi-client manager 12 stores the selected public encryption key expiry data and selectable private encryption key expiry data for association with a new encryption key pair. The selected public key expiry and selectable private key data is selectable through the user interface by a security officer to define exact expiry data on a per client basis so that different expiry periods can be assigned through the manager to different clients. The multi-client manager unit 12 waits to receive an encryption key pair update request as shown in block 72. When an encryption key pair update request has been received from a client, the manager 12 verifies the authenticity of a client and data sent therewith using PKIX part 3 protocol as previously described. This is shown in block 74. The client generates the new encryption key pair as indicated in block 76 and sends the new public encryption key to the manager 12 as shown in block 78.

The selectable expiry data is encryption certificate lifetime data. The multi-client manager 12 allows the encryption certificate lifetime data to be set at a number of days or other period for any given client to variably set a lifetime end date for an encryption certificate associated with a given client.

As shown in block 80, the manager 12 creates a new encryption certificate with the selected expiry data, by associating the selected expiry data with the new key pair to facilitate a transition from an old signature key pair to a new digital key pair. The manager sends the new encryption certificate to the requesting client for storage in the client directory 22 as indicated in block 82. The manager then waits for another client request or new selection of expiry data by a security officer as indicated in block 84.
FIG. 4 illustrates an alternative embodiment where the manager generates the new digital signature key pair for each client in response to receiving the client digital signature key pair update request. The steps are the same as those previously described with respect to FIG. 2; however, upon verification of authenticity of the client requesting a new digital signature key pair, the multi-client manager generates the new signature key pair for a given client as indicated in block 86. In addition, after associating the previously selected expiry data with the new key pairs, the manager sends a new digital signature certificate public and private key to the requesting client as indicated in block 88.

In yet another embodiment, the system 10 may have a manager 12 wherein the manager creates and sends a signed message to a selected client's directory entry indicating that the client needs to update an encryption key pair or update a signature key pair upon determination of an expiry condition. For example, the manager stores a certificate expiration message in a client directory entry upon determination by the multi-client manager unit 12 of a digital signature key expiry condition. This helps facilitate a digital signature key pair update request or encryption key pair update request by a client so that the client need not continually determine an expiry period upon every login but instead analyzes an encryption certificate or other data in the directory to determine whether to send a key update request.

It should be understood that the implementation of other variations and modifications of the invention in its various aspects will be apparent to those of ordinary skill in the art, and that the invention is not limited by the specific embodiments described. It is therefore contemplated to cover by the present invention, any and all modifications, variations, or equivalents that fall within the spirit and scope of the basic underlying principles disclosed and claimed herein.
WHAT IS CLAIMED IS:

1. A method for providing updated digital signature key pairs in a public key system comprising the steps of:

providing, through a multi-client manager unit, selectable expiry data including at least public key expiry data and selectable private key expiry data that is selectable on a per client basis;

storing selected public key expiry data and selected private key expiry data for association with a new digital signature key pair; and

associating the stored selected expiry data with the new digital signature key pair to facilitate a transition from an old digital signature key pair to a new digital signature key pair.

2. The method of claim 1 wherein the selectable expiry data is digital signature certificate lifetime data for variably setting a lifetime end date for a digital signature certificate associated with a given client.



3. The method of claim 1 further including the step of providing variable update privilege control on a per client basis to facilitate denial of updating the digital signature key pair on a per client basis.



4. The method of claim 1 further comprising the steps of:

determining whether a digital signature key pair update request has been received from a client unit;

receiving a new digital signature key pair from the client unit in response to the digital signature key pair update request; and

wherein the step of associating the stored selected expiry data includes creating a new digital signature certificate containing the selected public key expiry data selected for the client generating the digital signature key pair update request.
5. The method of claim 1 further comprising the steps of:

determining a digital signature private key lifetime end date and a digital signature certificate creation date upon a user login to the public key system;

initiating, by a client unit, a digital signature key pair update request based on whether a difference between a current date and the digital signature private key lifetime end date (t1) is less than an absolute predetermined period of time (days) and based on whether the difference between the current date and the digital signature private key lifetime end date (t1) is less than a predetermined percentage of a total duration of a digital signature private key lifetime.

6. The method of claim 1 wherein the step of providing selectable expiry data on a 
per client basis includes providing a user interface to facilitate setting of the selectable 
expiry data to a desired state. 



7. The method of claim 1 including generating, by the multi-client manager unit, the new digital signature key pair for a client in response to the multi-client manager unit receiving a digital signature key pair update request.



8. The method of claim 1 including storing a certificate expiration message in a client directory entry upon determination by the multi-client manager unit of a digital signature key expiry condition to facilitate a digital signature key pair update request by a client.



9. A method for providing updated encryption key pairs in a public key system comprising the steps of:

providing, through a client manager unit, selectable expiry data including public key expiry data and selectable private key expiry data that is selectable on a per client basis;

storing selected public key expiry data for association with a new encryption key pair; and

associating the stored selected expiry data with the new encryption key pair to facilitate a transition from an old encryption key pair to a new encryption key pair.

10. The method of claim 9 wherein the step of providing selectable expiry data includes additionally providing updated digital signature key pairs, the step of storing includes storing a new digital signature key pair and the step of associating also includes associating the stored selected expiry data to facilitate a transition from an old digital signature key pair to a new digital signature key pair.
11. The method of claim 10 wherein the selectable expiry data is digital signature certificate lifetime data for variably setting a lifetime end date for a digital signature certificate associated with a given client and is encryption certificate lifetime data for variably setting a lifetime end date for an encryption certificate associated with the given client.
12. The method of claim 11 further including the step of providing variable update privilege control on a per client basis to facilitate denial of updating the digital signature key pair and the encryption key pair.



13. The method of claim 11 wherein the digital signature certificate includes selectable private key lifetime end data.

14. A system for providing updated digital signature key pairs in a public key system comprising:

multi-client manager means providing selectable expiry data including at least public key expiry data and selectable private key expiry data that is selectable on a per client basis;

means, accessible by the multi-client manager means, for storing selected public key expiry data and selected private key expiry data for association with a new digital signature key pair; and

means, responsive to the stored selected public key expiry data, for associating the stored selected expiry data with the new digital signature key pair to facilitate a transition from an old digital signature key pair to a new digital signature key pair.

15. The system of claim 14 wherein the selectable expiry data is digital signature certificate lifetime data for variably setting a lifetime end date for a digital signature certificate associated with a given client.



16. The system of claim 14 further including means for providing variable update privilege control on a per client basis to facilitate denial of updating the digital signature key pair on a per client basis.



17. The system of claim 16 wherein the multi-client manager means includes the means for associating the stored selected expiry data with the new digital signature key pair and wherein the means for providing variable update privilege control

18. The system of claim 14 further comprising:

means for determining whether a digital signature key pair update request has been received from a client unit;

means for receiving a new digital signature key pair from the client unit in response to the digital signature key pair update request; and

wherein the means for associating the stored selected expiry data creates a new digital signature certificate containing the selected public key expiry data selected for the client generating the digital signature key pair update request.

19. The system of claim 14 further comprising:

means for determining a digital signature private key lifetime end date and a digital signature certificate creation date upon a user login to the public key system;

client means for initiating a digital signature key pair update request based on whether a difference between a current date and the digital signature private key lifetime end date (t1) is less than an absolute predetermined period of time (days) and based on whether the difference between the current date and the digital signature private key lifetime end date (t1) is less than a predetermined percentage of a total duration of a digital signature private key lifetime.



20. The system of claim 14 wherein the means for providing selectable expiry data on a per client basis provides a user interface to facilitate setting of the selectable expiry data to a desired state.



21. A storage medium comprising:

a stored program for execution by a processor wherein the program facilitates providing updated digital signature key pairs in a public key system by:

allowing entry of selectable expiry data including at least public key expiry data and selectable private key expiry data that is selectable on a per client basis;

storing selected public key expiry data and selected private key expiry data for association with a new digital signature key pair; and

associating the stored selected expiry data with the new digital signature key pair to facilitate a transition from an old digital signature key pair to a new digital signature key pair.



22. The storage medium of claim 21 wherein the stored program allows selection of digital signature certificate lifetime data for variably setting a lifetime end date for a digital signature certificate associated with a given client.

23. The storage medium of claim 21 wherein the stored program further includes the facilitating variable update privilege control on a per client basis to facilitate denial of updating the digital signature key pair on a per client basis.



24. The storage medium of claim 21 wherein the stored program further facilitates:

determining whether a digital signature key pair update request has been received from a client unit;

receiving a new digital signature key pair from the client unit in response to the digital signature key pair update request; and

creating a new digital signature certificate containing the selected public key expiry data selected for the client generating the digital signature key pair update request.



25. The storage medium of claim 21 wherein the stored program further facilitates the steps of:

determining a digital signature private key lifetime end date and a digital signature certificate creation date upon a user login to the public key system;

initiating, by a client unit, a digital signature key pair update request based on whether a difference between a current date and the digital signature private key lifetime end date (t1) is less than an absolute predetermined period of time (days) and based on whether the difference between the current date and the digital signature private key lifetime end date (t1) is less than a predetermined percentage of a total duration of a digital signature private key lifetime.

26. The storage medium of claim 19 wherein the stored program provides a user interface to facilitate setting of the selectable expiry data to a desired state.
ABSTRACT OF THE INVENTION

An adaptable cryptographic method and system provides updated digital signature key pairs in a public key system by providing, through a multi-client manager unit, selectable expiry data such as digital signature certificate lifetime data, public key expiry data and private key expiry data as selectable on a per client basis. The multi-client manager unit stores selected public key expiry data and private key expiry data for association with a new digital signature key pair and associates the stored selected expiry data with the new digital signature key pair to facilitate a transition from an old digital signature key pair to a new digital signature key pair.